Shopping Centers in California Are Spying on Customers for an ICE Contractor

By Phil Baker

How would you feel if the shopping center you frequent took a picture of your license plate and reported it to a government agency such as ICE — without your knowledge?

That’s exactly what’s happening in some of the shopping centers being run by the Irvine Company. The company manages 46 centers in California and has been collecting this information using automated license plate readers (ALPRs) provided by Vigilant Solutions. The information, including the plate number, time and GPS location, is being provided to U.S. Immigration and Customs Enforcement (ICE). The agency is able to receive near-real-time alerts when a targeted vehicle is spotted in a shopping center’s parking lot.

According to a recent disclosure reported by the Electronic Frontier Foundation, “The information only came to light due to a three-year-old law passed in California that requires ALPR operators—both public and private alike—to post their ALPR policies online. Malls in other states where no such law exists could well be engaged in similar violations of customer privacy without any public accountability.”

Update July 12, 2018. On July 11, Vigilant Solutions issued a press release disputing EFF’s report. We have posted the details and our response in a new post.

Update 10:45 a.m., July 11, 2018: The Irvine Company has disclosed the three shopping centers are Irvine Spectrum Center, Fashion Island, and The Marketplace. The local police departments are the Irvine, Newport Beach, and Tustin police departments.

Update 7:30 p.m. July 10, 2018: The Irvine Company provided The Verge with the following response.

A 36-year veteran of America’s Intelligence Community, William Binney resigned from his position as Director for Global Communications Intelligence (COMINT) at the National Security Agency (NSA) and blew the whistle, after discovering that his efforts to protect the privacy and security of Americans were being undermined by those above him in the chain of command. The NSA data-monitoring program which Binney and his team had developed -- codenamed ThinThread -- was being aimed not at foreign targets as intended, but at Americans (codenamed as Stellar Wind); destroying privacy here and around the world. Binney voices his call to action for the billions of individuals whose rights are currently being violated. William Binney speaks out in this feature-length interview with Tragedy and Hope's Richard Grove, focused on the topic of the ever-growing Surveillance State in America. On January 22, 2015: (Berlin, Germany) – The Government Accountability Project (GAP) is proud to announce that retired NSA Technical Director and GAP client, William "Bill" Binney, will accept the Sam Adams Associates for Integrity in Intelligence Award today in Berlin, Germany. The award is presented annually by the Sam Adams Associates for Integrity in Intelligence (SAAII) to a professional who has taken a strong stand for ethics and integrity. http://whistleblower.org/press/nsa-wh...

If Barthes can forgive me, “What the public wants is the image of passion Justice, not passion Justice itself.”

SAN FRANCISCO (AP) — Google wants to know where you go so badly that it records your movements even when you explicitly tell it not to.

An Associated Press investigation found that many Google services on Android devices and iPhones store your location data even if you’ve used privacy settings that say they will prevent it from doing so.

Computer-science researchers at Princeton confirmed these findings at the AP’s request.

For the most part, Google is upfront about asking permission to use your location information. An app like Google Maps will remind you to allow access to location if you use it for navigating. If you agree to let it record your location over time, Google Maps will display that history for you in a “timeline” that maps out your daily movements.

Storing your minute-by-minute travels carries privacy risks and has been used by police to determine the location of suspects — such as a warrant that police in Raleigh, North Carolina, served on Google last year to find devices near a murder scene. So the company will let you “pause” a setting called Location History.

Google says that will prevent the company from remembering where you’ve been. Google’s support page on the subject states: “You can turn off Location History at any time. With Location History off, the places you go are no longer stored.”

That isn’t true. Even with Location History paused, some Google apps automatically store time-stamped location data without asking.

For example, Google stores a snapshot of where you are when you merely open its Maps app. Automatic daily weather updates on Android phones pinpoint roughly where you are. And some searches that have nothing to do with location, like “chocolate chip cookies,” or “kids science kits,” pinpoint your precise latitude and longitude — accurate to the square foot — and save it to your Google account.

The privacy issue affects some two billion users of devices that run Google’s Android operating software and hundreds of millions of worldwide iPhone users who rely on Google for maps or search.

Storing location data in violation of a user’s preferences is wrong, said Jonathan Mayer, a Princeton computer scientist and former chief technologist for the Federal Communications Commission’s enforcement bureau. A researcher from Mayer’s lab confirmed the AP’s findings on multiple Android devices; the AP conducted its own tests on several iPhones that found the same behavior.

“If you’re going to allow users to turn off something called ‘Location History,’ then all the places where you maintain location history should be turned off,” Mayer said. “That seems like a pretty straightforward position to have.”

Google says it is being perfectly clear.

“There are a number of different ways that Google may use location to improve people’s experience, including: Location History, Web and App Activity, and through device-level Location Services,” a Google spokesperson said in a statement to the AP. “We provide clear descriptions of these tools, and robust controls so people can turn them on or off, and delete their histories at any time.”

To stop Google from saving these location markers, the company says, users can turn off another setting, one that does not specifically reference location information. Called “Web and App Activity” and enabled by default, that setting stores a variety of information from Google apps and websites to your Google account.

When paused, it will prevent activity on any device from being saved to your account. But leaving “Web & App Activity” on and turning “Location History” off only prevents Google from adding your movements to the “timeline,” its visualization of your daily travels. It does not stop Google’s collection of other location markers.

You can delete these location markers by hand, but it’s a painstaking process since you have to select them individually, unless you want to delete all of your stored activity.

You can see the stored location markers on a page in your Google account at myactivity.google.com, although they’re typically scattered under several different headers, many of which are unrelated to location.

To demonstrate how powerful these other markers can be, the AP created a visual map of the movements of Princeton postdoctoral researcher Gunes Acar, who carried an Android phone with Location History off, and shared a record of his Google account.

The map includes Acar’s train commute on two trips to New York and visits to The High Line park, Chelsea Market, Hell’s Kitchen, Central Park and Harlem. To protect his privacy, The AP didn’t plot the most telling and frequent marker — his home address.

Huge tech companies are under increasing scrutiny over their data practices, following a series of privacy scandals at Facebook and new data-privacy rules recently adopted by the European Union. Last year, the business news site Quartz found that Google was tracking Android users by collecting the addresses of nearby cellphone towers even if all location services were off. Google changed the practice and insisted it never recorded the data anyway.

“They build advertising information out of data,” said Peter Lenz, the senior geospatial analyst at Dstillery, a rival advertising technology company. “More data for them presumably means more profit.”

The AP learned of the issue from K. Shankari, a graduate researcher at UC Berkeley who studies the commuting patterns of volunteers in order to help urban planners. She noticed that her Android phone prompted her to rate a shopping trip to Kohl’s, even though she had turned Location History off.

“So how did Google Maps know where I was?” she asked in a blog post.

The AP wasn’t able to recreate Shankari’s experience exactly. But its attempts to do so revealed Google’s tracking. The findings disturbed her.

“I am not opposed to background location tracking in principle,” she said. “It just really bothers me that it is not explicitly stated.”

Google offers a more accurate description of how Location History actually works in a place you’d only see if you turn it off — a popup that appears when you “pause” Location History on your Google account webpage. There the company notes that “some location data may be saved as part of your activity on other Google services, like Search and Maps.”

Google offers additional information in a popup that appears if you re-activate the “Web & App Activity” setting — an uncommon action for many users, since this setting is on by default. That popup states that, when active, the setting “saves the things you do on Google sites, apps, and services ... and associated information, like location.”

Warnings when you’re about to turn Location History off via Android and iPhone device settings are more difficult to interpret. On Android, the popup explains that “places you go with your devices will stop being added to your Location History map.” On the iPhone, it simply reads, “None of your Google apps will be able to store location data in Location History.”

The iPhone text is technically true if potentially misleading. With Location History off, Google Maps and other apps store your whereabouts in a section of your account called “My Activity,” not “Location History.”

Since 2014, Google has let advertisers track the effectiveness of online ads at driving foot traffic, a feature that Google has said relies on user location histories.

The company is pushing further into such location-aware tracking to drive ad revenue, which rose 20 percent last year to $95.4 billion. At a Google Marketing Live summit in July, Google executives unveiled a new tool called “local campaigns” that dynamically uses ads to boost in-person store visits. It says it can measure how well a campaign drove foot traffic with data pulled from Google users’ location histories.

Google also says location records stored in My Activity are used to target ads. Ad buyers can target ads to specific locations — say, a mile radius around a particular landmark — and typically have to pay more to reach this narrower audience.

While disabling “Web & App Activity” will stop Google from storing location markers, it also prevents Google from storing information generated by searches and other activity. That can limit the effectiveness of the Google Assistant, the company’s digital concierge.

Sean O’Brien, a Yale Privacy Lab researcher with whom the AP shared its findings, said it is “disingenuous” for Google to continuously record these locations even when users disable Location History. “To me, it’s something people should know,” he said.

In this report, we describe how Canadian permanent resident and Saudi dissident Omar Abdulaziz was targeted with a fake package delivery notification. We assess with high confidence that Abdulaziz’s phone was infected with NSO’s Pegasus spyware. We attribute this infection to a Pegasus operator linked to Saudi Arabia.

Key Findings

• We have high confidence that the cellphone of Omar Abdulaziz, a Saudi activist and Canadian permanent resident, was targeted and infected with NSO Group’s Pegasus spyware. Abdulaziz has been outspoken on an ongoing diplomatic feud over human rights issues between Canada and Saudi Arabia. The targeting occurred while Abdulaziz, who received asylum in Canada, was attending university in Quebec.

• During our recently published global mapping of NSO’s Pegasus infrastructure, we identified a suspected infection located in Quebec, Canada, operated by what we infer is a Saudi Arabia-linked Pegasus operator. We matched the infection’s pattern of life to the movements of Abdulaziz, and his phone, with his assistance. After examining his text messages, we identified a text message that masqueraded as a package tracking link. This message contained a link to a known Pegasus exploit domain.

• We are unaware of any legal authorization for the infection and monitoring of Omar Abdulaziz in Canada by a foreign government. If not properly authorized, the operators behind this targeting may have committed multiple Criminal Code offences, including willfully intercepting private communications contrary to section 184(1).

1. Summary

Israel-based “Cyber Warfare” vendor NSO Group produces and sells the Pegasus mobile phone spyware suite. Pegasus customers can infect targets using Androids and iPhones by sending them specially crafted exploit links. Once a phone is infected, the customer has full access to a victim’s personal files, such as chats, emails, and photos. They can even surreptitiously use the phone’s microphones and cameras to view and eavesdrop on their targets.

Over the past two years, multiple reports have emerged showing how Pegasus was abused by multiple NSO Group customers to target civil society. In 2016, Citizen Lab published the first report on the use of Pegasus, Million Dollar Dissident, which detailed how award-winning human rights defender Ahmed Mansoor was targeted, likely by the government of the United Arab Emirates. In 2017, Citizen Lab reported abusive uses of Pegasus spyware in Mexico, where targets included lawyers, journalists, and politicians. In August 2018, Amnesty International reported that a Saudi dissident based abroad (later revealed to be Yahya Assiri), as well as an Amnesty researcher, were targeted with Pegasus. In addition, former president Ricardo Martinelli stands accused by the government of Panama of having used Pegasus during his tenure between 2009 and 2014 to systematically spy on political opponents and journalists.

In a September 2018 report titled Hide and Seek, we detailed our investigation into the global proliferation of Pegasus operators and infections. After scanning the Internet for Pegasus servers and grouping the 1,091 servers we found into 36 distinct operators, we used DNS cache probing to query Internet Service Providers (ISPs) around the world and identified 120 ISPs in 45 countries where we suspected Pegasus infections were located (Figure 1). Our technique was based on the assumption that Pegasus infections regularly “phone home” to their command and control (C&C) servers to exfiltrate information and receive new commands from their operator.

Our Hide and Seek investigation revealed an intriguing suspected infection in Quebec, Canada. We observed the infection moving between a consumer ISP and a university ISP, during the evenings and outside of the academic year. We linked this infection to an operator that we call KINGDOM, which was also responsible for the 2018 targeting of Saudi dissident Yahya Assiri and an Amnesty International researcher. Suspecting that the Canadian target was a Saudi-linked individual in Quebec, we contacted local members of the Saudi diaspora and attempted to identify a person whose movements fit the infection’s pattern. We found one match: Omar Abdulaziz, a university student with a regular pattern of evening activity. On two specific days, we were able to match the timing of his evening activity, and then his return home, to the movement of the infection between the two ISPs. We also examined Abdulaziz’s phone and found a fake package tracking notification SMS containing a Pegasus exploit link. These factors lead us to conclude with high confidence that Abdulaziz’s iPhone was infected with NSO Group’s Pegasus spyware.

Abdulaziz is a Canadian permanent resident and vocal critic of the Saudi government. In 2014, he was forced to seek asylum in Canada in the face of strong pressure from the Saudi government. Today, Abdulaziz is a university student in Quebec, where he continues to be an outspoken voice on human rights issues in Saudi Arabia. In August 2018, Saudi authorities threatened his brother with jail time in what Abdulaziz believes was an attempt to pressure him into silence. When he continued speaking out, two of his brothers and several of his friends in Saudi Arabia disappeared. Pegasus would have allowed the operators to copy Abdulaziz’s contacts, private family photos, text messages, and live voice calls from popular mobile messaging apps. The operators could have even activated his phone’s camera and microphone to capture activity, such as conversations, taking place in his home.

We are unaware of any legal authorization for the hacking and monitoring of Omar Abdulaziz in Canada by a foreign government. These actions may be contrary to multiple Criminal Code provisions, including willfully intercepting private communications, an indictable offence under section 184.

2. Omar Abdulaziz Targeted with Pegasus

Omar Abdulaziz is a prominent Saudi political activist who has been based in Canada since 2009. As a student at McGill University, Abdulaziz started a popular satirical news show on YouTube (Figure 3), which is highly critical of the Saudi government’s repressive tactics and human rights record. The show has garnered millions of views, and he has developed a large social media following. After the Saudi government withdrew his scholarship to study in Canada, Abdulaziz applied for asylum and was granted permanent resident status in Canada in 2014.

Abdulaziz continues to be outspoken about the Saudi government’s human rights record and has been particularly vocal and active during an ongoing diplomatic dispute between Canada and Saudi Arabia (See section 5), helping fellow Saudi students impacted by the dispute to claim asylum in Canada. Abdulaziz regularly appears in Canadian media, including a recent guest appearance on the Canadian Broadcasting Corporation (CBC)’s current affairs show, The Current, on August 10, 2018, where he said that Saudi authorities had entered his brother’s home in Saudi Arabia and “asked him to convince me [to] stop tweeting about what’s really going on between Canada and Saudi Arabia, or they’re going to send him to jail.” The Saudi government appears to have made good on the threat: later in August, Abdulaziz’s two brothers and a number of friends were arrested in Saudi Arabia. He believes that the arrests were an attempt to discourage him from speaking out further.

On a summer morning in 2018, Abdulaziz made a purchase on the online shopping website Amazon. Later that day he received a text message (Figure 4) purporting to be a package shipment notification from the logistics company DHL. The URL in the message was from the domain sunday-deals[.]com. This domain belongs to a cluster that we previously identified as Pegasus exploit domains. Based on our prior research, we have high confidence that clicking on the link would result in the infection of the device with NSO’s Pegasus spyware. Abdulaziz, who says he uses a separate phone for his activism, told us that the message arrived on his personal phone. Abdulaziz recalled thinking that the message was related to his online shopping.
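A defender-side check for the indicator named above, as an added example that is not code from the report or its authors: it scans exported message bodies for links whose host is the published domain or a subdomain of it, while rejecting lookalike hosts that merely contain the string. The sample messages are constructed (the real SMS text is not reproduced here), and all function names are hypothetical.

```python
import re

# Indicator as published in the report text above, kept in its defanged form.
PUBLISHED_INDICATORS = ["sunday-deals[.]com"]

HOST_RE = re.compile(
    r"(?:[a-z][a-z0-9+.-]*://)?"        # optional scheme; SMS links often omit it
    r"((?:[a-z0-9-]+\.)+[a-z]{2,}\.?)"  # host name, optionally with a trailing root dot
    r"(?::\d+)?(?:[/?#]\S*)?",          # optional port and path/query
    re.IGNORECASE | re.ASCII,
)


def refang(text):
    """Undo common defanging so published indicators and pasted text compare equal."""
    text = re.sub(r"hxxp", "http", text, flags=re.IGNORECASE)
    return text.replace("[.]", ".").replace("(.)", ".")


def normalize_host(host):
    """Lower-case the name and drop the trailing root dot of a fully qualified name."""
    return host.lower().rstrip(".")


def extract_hosts(message):
    """Return the normalized host of every link-like token in one message body."""
    return [normalize_host(m.group(1)) for m in HOST_RE.finditer(refang(message))]


def matches(host, indicator):
    """True for the indicator itself or any subdomain, never for a mere string suffix."""
    return host == indicator or host.endswith("." + indicator)


def scan_messages(messages, indicators=PUBLISHED_INDICATORS):
    """Return (message_index, host, indicator) for every message link that hits."""
    wanted = [normalize_host(refang(i)) for i in indicators]
    hits = []
    for idx, body in enumerate(messages):
        for host in extract_hosts(body):
            for ind in wanted:
                if matches(host, ind):
                    hits.append((idx, host, ind))
    return hits


def sample_messages():
    """Constructed message bodies; paths are placeholders, not real exploit links."""
    domain = refang(PUBLISHED_INDICATORS[0])
    return [
        f"DHL: your parcel is out for delivery. Track it: https://{domain}/EXAMPLE",
        f"Delivery update HTTP://Track.{domain.upper()}./EXAMPLE",   # subdomain, FQDN dot
        f"Reschedule at not{domain}/EXAMPLE",                        # lookalike prefix
        f"See https://{domain}.example.org/EXAMPLE",                 # indicator as a label
        "Your verification code is 123456",                          # no link at all
        "Analyst note: link was hxxps://sunday-deals[.]com/EXAMPLE", # pasted defanged
    ]


if __name__ == "__main__":
    for idx, host, ind in scan_messages(sample_messages()):
        print(f"message {idx}: host {host} matches indicator {ind}")
```
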

We first contacted and obtained the SMS (Figure 4) from Abdulaziz following an extensive global study of suspected Pegasus infections (Section 3), which identified an interesting Saudi-linked infection in Quebec.

3. DNS Cache Probing Leads us to Abdulaziz

On September 18, 2018, we published a report titled Hide and Seek, which describes how we scanned the Internet to generate a list of Pegasus spyware servers, used a technique that we call Athena to group the servers into 36 distinct Pegasus systems, and performed DNS cache probing of ISPs to identify locations from where suspected Pegasus infections were phoning home. In total, we identified 120 ISPs in 45 countries with likely infections (Figure 1) and 10 Pegasus systems whose operators were engaging in suspected cross-border monitoring (i.e., monitoring infected devices in more than one country).

That sign telling you how fast you’re driving may be spying on you

By Justin Rohrlich, October 1, 2018

The next time you drive past one of those road signs with a digital readout showing how fast you’re going, don’t simply assume it’s there to remind you not to speed. It may actually be capturing your license plate data.

According to recently released US federal contracting data, the Drug Enforcement Administration will be expanding the footprint of its nationwide surveillance network with the purchase of “multiple” trailer-mounted speed displays “to be retrofitted as mobile LPR [License Plate Reader] platforms.” The DEA is buying them from RU2 Systems Inc., a private Mesa, Arizona company. How much it’s spending on the signs has been redacted.

Two other, apparently related contracts show that the DEA has hired a small machine shop in California, and another in Virginia, to conceal the readers within the signs. An RU2 representative said the company providing the LPR devices themselves is a Canadian firm called Genetec.

The DEA launched its National License Plate Reader Program in 2008; it was publicly revealed for the first time during a congressional hearing four years after that. The DEA’s most recent budget describes the program as “a federation of independent federal, state, local, and tribal law enforcement license plate readers linked into a cooperative system, designed to enhance the ability of law enforcement agencies to interdict drug traffickers, money launderers or other criminal activities on high drug and money trafficking corridors and other public roadways throughout the U.S.,” primarily along the southwest border region, and the country’s northeast and southeast corridors.

“There used to be an old police saying, ‘If you robbed a bank, please drive carefully,’” former NYPD Detective Sergeant and Bronx Cold Case Squad commander Joseph Giacalone told Quartz, explaining that if a getaway driver didn’t do anything to attract the attention of police and get pulled over, they usually had a half-decent chance of fleeing. “But that’s no longer in effect because you can drive slow, you can stop at every red light, but these license plate readers and surveillance cameras track your every movement.”

And therein lies the real issue: What is a game-changing crime-fighting tool to some is a privacy overreach of near-existential proportion to others. License plate readers, which can capture somewhere in the neighborhood of 2,000 plates a minute, cast an astonishingly wide net that has made it far easier for cops to catch serious criminals. On the other hand, the indiscriminate nature of the real-time collection, along with the fact that it is then stored by authorities for later data mining, is highly alarming to privacy advocates.

“License plate readers are inherently a form of mass surveillance,” investigative researcher Dave Maass of the nonprofit Electronic Frontier Foundation told Quartz. “You look at something like a wiretap and most of the time it’s looking for a specific person and capturing specific conversations with that person. But here they are collecting information on everybody, not all of whom have been accused of a crime, in case they may one day commit a crime. This is un-American.”

The DEA does not release how much of the data it collects is connected to crimes. The nonprofit American Civil Liberties Union of Maryland found that only 47 out of every 1 million plates scanned by police in the state, or 0.005%, were linked to a serious crime. The Atlanta PD captured data from 128.5 million license plates last year; 786,580 of those—0.6%—were suspected of having a connection to a crime. Of 22 million license plates recorded in Austin, Texas during that same period, 3,200 of them—0.01%—were linked to alleged criminal activity.

Still, it’s not the data collection itself that’s the issue, as much as what authorities do next with that information, explained Maass.

“The technology is fairly simple, but as they start collecting more and more data and applying more and more algorithms to that, you can get information about people’s travel patterns, where their doctor’s office is, where they sleep at night, or put in the address of a place and see who visited it: an immigrant health clinic, a medical marijuana facility, or even a [marijuana] grow [operation] that would be completely legal under state law but illegal under federal law,” Maass said. “You could [link someone to] an abortion clinic, any number of sensitive locations.”

Precise details of the DEA’s license plate reader program are extremely difficult to pry loose. The DEA declined to comment on either the program in general or its latest purchase of license plate readers; Sherman Green, the Department of Justice contracting officer handling the RU2 deal, did not respond to an interview request.

Maass said the DEA augments its own data collection by buying access to commercial databases, including one maintained by Vigilant Solutions of Livermore, California. In January, the US Immigration and Customs Enforcement agency purchased access to Vigilant’s LPR data which reportedly allows investigators to trace plates going back five years.

Some LPR cameras can capture “contextual photos,” which include shots of the driver and passengers. Companies like Palantir Technologies, which was co-founded by controversial venture capitalist Peter Thiel in 2003, are incorporating facial recognition technology into license plate reader software; officers can access Vigilant’s “Intelligence-Led Policing Package” on their mobile phones.

Law professor Andrew Ferguson, a former public defender and author of 2017’s The Rise of Big Data Policing: Surveillance, Race, and the Future of Law Enforcement, said the DEA “finds itself at the intersection of new technology scandals [accusations of secret, and possibly illegal, bulk data collection by the DEA have surfaced in recent years] because they maintain both domestic and international jurisdiction and thus can argue the need to use surveillance tools that would not be acceptable in purely local law enforcement.”

“For example, most other domestic law enforcement agencies couldn’t claim any right to know information from secret NSA wiretaps…but because the DEA can claim that they are tracking international drug traffickers and thus need to know information obtained outside the states, they can use invasive techniques domestically. In addition, the DEA has largely worked under the radar, as our national approach to large scale drug prosecutions has not changed from administration to administration. The DEA has been funded, and with federal funds comes playing around with new surveillance technologies.”

Jay Stanley, a senior policy analyst with the ACLU’s Speech, Privacy, and Technology Project, told Quartz he thinks it’s wrong for the government to arbitrarily collect such a broad swath of data in the first place. Holding onto it for future analysis only makes things worse, he said.

However, the law enforcement community at large argues that none of this data is being used to spy on everyday Americans.

“We don’t know when somebody’s going to commit a crime, we don’t know when somebody’s going to run over somebody and take off,” said Joe Giacalone. “So that data should be there forever. We never know when we’re going to need it.”

Kabrina Chang, a professor of law and ethics at Boston University’s Questrom School of Business, told Quartz, “We as a society have to think long and hard about the consequences. I don’t think anyone would begrudge law enforcement help in doing their jobs; we all want them to do their jobs really, really well. But what are we willing to give up?”

DEA expects to take delivery of its new license plate-reading speed signs by October 15.

Using Wi-Fi to “see” behind closed doors is easier than anyone thought

With nothing but a smartphone and some clever computation, researchers can exploit ambient signals to track individuals in their own homes.

by Emerging Technology from the arXiv November 2, 2018

Wi-Fi fills our world with radio waves. In your home, in the office, and increasingly on city streets, humans are bathed in a constant background field of 2.4- and 5-gigahertz radio signals. And when people move, they distort this field, reflecting and refracting the waves as they go.

That’s given more than one group of researchers an interesting idea. In theory, they say, it ought to be possible to use this changing electromagnetic field to work out the position, actions, and movement of individuals. Indeed, several groups have created imaging systems that use Wi-Fi to “see” through walls.

But all these systems have drawbacks. For example, they rely on knowing the exact position of the Wi-Fi transmitters involved and need to be logged in to the network so that they can send known signals back and forth.

That isn’t possible for the ordinary snooper or peeping tom, who might typically have access only to off-the-shelf Wi-Fi sniffers such as those built into smartphones. This kind of set-up is just too basic to reveal any useful detail about what goes on behind closed doors, other than the presence of the Wi-Fi network itself.

At least, that’s what everybody thought. Today that changes thanks to the work of Yanzi Zhu at the University of California, Santa Barbara, and colleagues. These guys have found a way to see through walls using ambient Wi-Fi signals and an ordinary smartphone.

They say the new technique allows an unprecedented invasion of privacy. “Bad actors using smartphones can localize and track individuals in their home or office from outside walls, by leveraging reflections of ambient Wi-Fi transmissions,” they say.

First some background. If humans were able to see the world as Wi-Fi does, it would seem a bizarre landscape. Doors and walls would be almost transparent, and almost every house and office would be illuminated from within by a bright light bulb—a Wi-Fi transmitter.

But despite the widespread transparency, this world would be hard to make sense of. That’s because walls, doors, furniture, and so on all reflect and bend this light as well as transmitting it. So any image would be impossibly smeared with confusing reflections.

But this needn’t be an issue if all you are interested in is the movement of people. Humans also reflect and distort this Wi-Fi light. The distortion, and the way it moves, would be clearly visible through Wi-Fi eyes, even though the other details would be smeared. This crazy Wi-Fi vision would clearly reveal whether anybody was behind a wall and, if so, whether the person was moving.

That’s the basis of Zhu and co’s Wi-Fi-based peeping tom. It looks for changes in an ordinary Wi-Fi signal that reveal the presence of humans.

The challenge is actually even harder than described, because Wi-Fi sniffers don’t produce an image at all. The data that Zhu and co use is just a measurement of the signal strength at a specific location. That doesn’t tell you anything about the location of the transmitter. And without knowing that, it’s impossible to say where any human that distorts the field would be.

So the first step in the researchers’ approach is to locate the Wi-Fi transmitter. They do this by measuring the change in the signal strength as they walk around outside the target building or room. Indeed, they have created an app that uses the smartphone’s built-in accelerometers to record this movement and then analyzes the change in signal strength as they move. In that way, it is possible to number-crunch the position of the transmitter, even in the presence of numerous reflections and distortions.

It is even possible to work out exactly where the transmitter sits inside a house, because floor plans of most homes and offices in the US are downloadable from places such as real estate websites.

The researchers say that by walking back and forth a few times outside a room or building, they can reliably locate the transmitter. “We found that consistency check across 4 rounds of measurements is sufficient to achieve room level localization of 92.6% accuracy on average,” they say.

Having done that, it’s just a question of waiting. Provided nothing moves inside the target building, the Wi-Fi signal will be constant. But any small movement changes the signal in a way that is straightforward to measure.

Zhu and co show how various movements change the signal in different ways. For example, opening a door changes the field in two adjacent rooms and thus is straightforward to spot. Walking around creates large distortions, and even an action like typing creates small changes that a smartphone Wi-Fi receiver can pick up.

The team go on to say that they have tested this approach using Nexus 5 and Nexus 6 Android smartphones to peer into 11 different offices and apartments that the team had permission to observe, many of which contained several Wi-Fi transmitters.

Additional transmitters improve the accuracy of the approach. “We see that with more than 2 Wi-Fi devices in a regular room, our attack can detect more than 99% of the user presence and movement in each room we have tested,” say the researchers.

It’s not hard to imagine how a malicious actor might use this to work out if a building was occupied or empty.

The team say there are various defenses against this type of attack, such as geofencing Wi-Fi signals, but these are difficult to implement and have limited effectiveness. The most promising form of defense seems to be adding noise to the signals; the researchers are hoping to develop this in more detail in future.

In the meantime, this work suggests that the mere presence of Wi-Fi signals is a significant risk to privacy. “While greatly improving our everyday life, [wireless transmissions] also unknowingly reveal information about ourselves and our actions,” say Zhu and co. For the moment, this risk has been largely overlooked. That will need to change quickly.

THE AGE OF SURVEILLANCE CAPITALISM
The Fight for a Human Future at the New Frontier of Power
By Shoshana Zuboff
691 pp. PublicAffairs. $38

How Tech Companies Manipulate Our Personal Data

Canadian politicians don’t attract much notice this side of the border, but recently I’ve been heeding the words of Charlie Angus. A member of Canada’s Parliament for the New Democratic Party, Angus is a longtime punk rocker and activist with ties to the Catholic Worker movement; he’s also a sharp critic of the growing power of Big Tech. In late November, Angus attended a hearing in British Parliament in which representatives from nine countries took turns interrogating a Facebook vice president about the company’s proliferating scandals (an empty chair sat before a Mark Zuckerberg nameplate, marking the chief executive’s absence).

For Angus, fake news and data-based manipulation — exemplified by the shadowy work of Cambridge Analytica, whose voter-profiling scheme is often cited as an important factor in Donald Trump’s 2016 victory — were mere symptoms of a larger malady. “The problem is Facebook,” he declared. “The problem is the unprecedented economic control of every form of social discourse and communication.” It was one of Angus’s colleagues, the Canadian member of Parliament Bob Zimmer, who may be the one who gave the problem a name: “Surveillance capitalism,” he said, with its vast concentrations of data and influence over human life, required new laws and new forms of regulation.

Both Angus and Zimmer were right, but before we can establish a firm legislative or regulatory agenda, we have to learn what surveillance capitalism is, as we come to terms with the novel form of economic and social power represented by Facebook, Google and a handful of other tech behemoths privy to our every click and utterance. Enter, as a critical guide, Shoshana Zuboff, who has emerged as the leading explicator of surveillance capitalism. A Harvard Business School professor emerita with decades of experience studying issues of labor and power in the digital economy, Zuboff in 2015 published a paper, “Big Other: Surveillance Capitalism and the Prospects of an Information Civilization,”** which has since become an essential source for anyone looking to reckon seriously with what she described as a distinct, emerging economic logic. Now she has followed up that paper with a doorstop of a book, an intensively researched, engagingly written chronicle of surveillance capitalism’s origins and its deleterious prospects for our society.

According to Zuboff, surveillance capitalism distinguishes itself from its industrial forebear as “a new economic order that claims human experience as a free source of raw material.” We are the resource to be mined; the billion-dollar profits of Facebook and Google are built on a general accounting of our lives and everyday behavior. But surveillance capitalism is also many other things: “a parasitic economic logic … a rogue mutation of capitalism … a new collective order based on total certainty” and “an overthrow of the people’s sovereignty.” All this may sound a little heady, like perhaps an overseasoned stew of po-mo economic jargon, but Zuboff will have you asking for another helping long before the book’s end.

Surveillance capitalism depends on the constant gathering of “behavioral surplus,” or the data exhaust that we produce as part of the normal course of web browsing, app use and digital consumption. All of it is potentially revealing, allowing companies to make sophisticated inferences about who we are, what we want and what we’re likely to do. As the economist Hal Varian noted in 2002, “Every action a user performs is considered a signal to be analyzed and fed back into the system.” That means that there is potentially no end to a surveillance capitalist’s extractive appetite, which is why — in the name of more efficient services and relevant ads — companies are constantly pursuing new, more granular data streams in our homes, workplaces and bodies. Unlike oil, to which it’s often compared, personal data is potentially limitless, but its extraction and consumption may be just as toxic, as we’re only beginning to understand.

Under the regime of surveillance capitalism, it is not enough simply to gather information about what people do. Eventually, you have to influence behavior, beyond the simple suasion practiced by targeted ads. It’s not about showing someone the right ad; you have to show it at the right place and time, with the language and imagery calibrated for precise effect. You have to lead people through the physical world, making them show up at the sponsored pop-up store or vote for the preferred candidate. Armed with a veritable real-time feed of a user’s thoughts and feelings, companies are beginning to practice just this kind of coercion, which is why you might see makeup ads before a Friday evening out or why inducements from a personal injury lawyer might pop up on your phone as you sit in a hospital waiting room. When we want things — health information, travel schedules, a date — is also when we are most vulnerable, when intimate data yield themselves for corporate capture. “The result,” as Zuboff notes, “is a perverse amalgam of empowerment inextricably layered with diminishment.” We seem ever more exposed to and dependent on surveillance capitalists, our benevolent info-lords, but their operations are defined by opacity, corporate secrecy and the scrim of technological authority.

More at link.

**https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2594754

Big Other: Surveillance Capitalism and the Prospects of an Information Civilization

This article describes an emergent logic of accumulation in the networked sphere, ‘surveillance capitalism,’ and considers its implications for ‘information civilization.’ Google is to surveillance capitalism what General Motors was to managerial capitalism. Therefore the institutionalizing practices and operational assumptions of Google Inc. are the primary lens for this analysis as they are rendered in two recent articles authored by Google Chief Economist Hal Varian. Varian asserts four uses that follow from computer-mediated transactions: ‘data extraction and analysis,’ ‘new contractual forms due to better monitoring,’ ‘personalization and customization,’ and ‘continuous experiments.’ An examination of the nature and consequences of these uses sheds light on the implicit logic of surveillance capitalism and the global architecture of computer mediation upon which it depends. This architecture produces a distributed and largely uncontested new expression of power that I christen: ‘Big Other.’ It is constituted by unexpected and often illegible mechanisms of extraction, commodification, and control that effectively exile persons from their own behavior while producing new markets of behavioral prediction and modification. Surveillance capitalism challenges democratic norms and departs in key ways from the centuries long evolution of market capitalism.